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1 . INTRODUCTION 


Recently/  increasing  interest  has  been  shown  for  the  nuclear  surviv- 
ability of  fielded  and  developmental  tactical  Army  electronic 
equipments.  The  Harry  Diamond  Laboratories  (HDL) , Army  Materiel  Command* 
lead  laboratory  for  Nuclear  Weapons  Effects,  is  concerned  about  this 
problem,  to  more  intelligently  support  the  Project  Manager  (PM)  in 
development  programs  and  provide  Department  of  the  Army  (DA)  staff  with 
timely  information  on  the  vulnerability  of  current  inventory  items. 

Herein  is  addressed  a specific  and  limited  aspect  of  the  nuclear 
survivability  problem.  This  paper  is  in  response  to  a request  from  the 
Army  Director  of  Telecommunications  and  Command  and  Control  through  the 
Defense  Nuclear  Agency.  But  mciny  people  in  the  business  of  supporting 
the  development  of  military  hardware  could  benefit  from  an  outline  of 
the  model  development  cycle  and  the  real  world  pressures  and  processes. 
Most  of  the  statements  in  this  report  regarding  nuclear  survivability 
and  reliability  apply  equally  to  all  military  services. 

The  specific  problem  addressed  in  this  paper  is  the  association  of 
electronic  system  reliability  considerations  during  development  with  the 
equipment  survivability  to  transient  nuclear  radiation  effects  (TRE) 
(i.e./  neutrons,  gamma  dose,  gamma  dose  rate)  and  electromagnetic  pulse 
(EMP) . Specifically  excluded  are  the  problems  associated  with  nuclear 
blast  and  thermal  radiation,  since  these  effects  are  not  dependent  on 
electronic  piece-part  selection,  circuit  design,  or  circuit/subsystem 
interfaces.  Areas  covered  are  life  cycle  management,  reliability 
requirements,  military  standards  and  specifications  that  apply,  the 
considerations  of  semiconductor  technology,  and  the  nuclear  surviv- 
ability implications.  How  the  system  should  work  is  discussed,  and  the 
practical  problems  are  illustrated. 

2.  DISCUSSION 

2 . 1 Life  Cycle 

To  understand  the  framework  of  events  related  to  reliability, 
it  is  best  to  first  consider  the  life  cycle  for  developmental  hardware 
programs.  In  appendix  A,  there  is  a more  complete  discussion  of  the 
approved  Life  Cycle  System  Management  Model  (LCSMM) , which  includes  the 
documentation  and  decision  events.  The  LCSMM  that  applied  before 
1975  is  not  addressed  here,  since  the  differences  are  not  critical  to 
this  paper.  It  suffices  for  our  purposes  to  lay  out  the  general  flow  of 
events.  There  are  four  primary  phases:  (1)  conceptual,  (2)  validation, 
(3)  full-scale  development,  and  (4)  production  and  deployment. 


*Now  the  US  Army  Materiel  Development  and  Readiness  Command. 
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In  the  conceptual  phase , threat  projections , technological 
forecasts^  and  Joint  Service  and  Army  plans  are  examined  to  determine 
operational  capabilities  and  potential  materiel  systems  that  will 
improve  Army  effectiveness.  During  this  time,  the  technical  and 
economic  bases  for  proposed  systems  are  established  by  tradeoff  analyses 
through  the  development  and  evaluation  of  experimental  hardware 
(experimental  prototype/breadboard) . The  planning  and  experimental  work 
in  this  phase  is  designed  to  identify  the  critical  issues  and  problems 
that  must  be  addressed  in  the  subsequent  phases,  to  minimize  risks  and 
control  costs.  The  duration  of  this  phase  is  in  part  controlled  by  the 
resource  constraints  and  the  urgency  of  the  operational  threat.  What 
comes  out  of  this  phase  must  be  acceptable  and  credible  tradeoffs  among 
operational  needs,  performance  requirements,  cost,  and  schedule.  Since 
both  reliability  and  nuclear  survivability  are  performance  requirements, 
they  should  be  considered  in  this  first  phase.  The  cost  figures  used 
are  unit-production  cost  goals  in  fixed  fiscal  year  dollars. 

The  validation  phase  is  intended  to  verify  the  preliminary 
design  and  engineering,  reevaluate  the  tradeoffs,  and  validate  the 
hardware  concept  for  full-scale  development.  In  this  stage,  the 
advanced  development  (AD)  prototype  (brassboard)  is  made,  and  upon  its 
acceptance  as  a viable  and  necessary  equipment,  the  Required  Operational 
Capability  document  is  initiated.  During  this  validation  phase,  the 
first  formal  Research  and  Development  Acceptance  Test  (RDAT)  is 
performed  by  the  contractor,  and  the  first  set  of  Development  and 
Operational  Tests  (DT/OT)-I  is  initiated  by  the  Armed  Services.  These 
are  system  level  tests,  for  the  most  part.  Reliability  and/or  nuclear 
survivability  subassembly  and  piece-part  tests  by  the  Government  or  the 
contractor  in  both  the  conceptual  and  validation  phases  should  precede 
these  scheduled,  formal  tests.  The  results  of  the  RDAT  and  DT/OT  are 
used  to  estimate  the  proposed  system's  military  utility,  cost,  and 
performance  and  to  refine  the  configuration  prior  to  full-scale 
development.  These  advanced  development  prototypes  are  designed  to 
closely  represent  the  complete  system  to  permit  a thorough  evaluation 
and  tradeoff  analysis.  However,  the  quantity  and  level  of  prototype 
hardware  and  software  validation  is  very  much  dependent  on  the  nature  of 
the  program  and  the  risks  and  tradeoffs  involved.  In  fact,  more  than 
one  contractor  may  be  used  to  produce  AD  prototypes  if  resources  permit. 

In  the  full-scale  development  phase,  the  engineering  problems 
are  to  be  identified  and  solved  so  that  a decision  can  be  made  as  to  the 
acceptability  of  the  equipment.  The  engineering  development  (ED) 
prototypes  undergo  RDAT  and  DT/OT-II,  and  if  the  test  results  are 
favorable,  the  equipment  is  type  classified,  indicating  that  it  is  ready 
to  be  placed  into  the  inventory.  All  the  necessary  support  equipment 
and  documentation  must  now  be  finalized.  Even  at  this  stage,  tradeoffs 
among  stated  operational  requirements,  cost,  schedule,  and  operational 
readiness  data  are  conducted  with  the  design-to-unit-production-cost 
(DTUPC)  figure  as  the  controlling  parameter.  The  main  reason  for  using 
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cost  as  the  controlling  parameter  is  that  cost  can  be  quantized  and 
measured  very  easily.  However,  it  is  not  always  possible  to  accurately 
predict  cost  over  the  lifetime  of  a system. 

In  the  final  phase,  there  are  usually  an  initial  production  run 
and  an  RDAT  and  DT/OT-III  before  full-scale  production.  After 
production  and  deployment,  maintenance  and  product  improvements  become 
the  critical  issues. 

2 . 2 Design  to  Cost 

Up  to  this  point,  we  have  glossed  over  the  concept  of  Design  to 
Cost  (DTC) . The  DTC  philosophy  is  to  manage  and  control  the  DTUPC  by 
adequate  research  and  development  efforts  in  the  preproduction  phases. 
In  general,  this  requires  more  time  and  more  dollars  (15  to  20  percent 
more) , especially  in  the  conceptual  and  validation  phases.  The  payoff 
is  that  some  investments  have  been  shown  to  reduce  the  DTUPC  up  to 
80  percent.  The  reason  for  this  potential  savings  is  that  changes 
brought  on  by  identifying  deficiencies,  modifying  performance 
requirements,  or  chasing  technology  late  in  the  development  program  are 
very  expensive  from  the  engineering,  tooling,  and  hardware  aspects — that 
is,  the  nonrecurring  costs.  To  assist  in  this  DTUPC  concept,  some 
contracts  contain  incentives  for  the  contractor  to  produce  cost-savings 
ideas. 


There  are  several  problems  with  this  concept  and 
implementation.  Instead  of  DTUPC,  the  goal  should  be 
design-to-life-cycle  costs.  This  is  recognized  as  a laudable  goal  in  DA 
Pamphlet  11-25  (LCSMM  for  Army  Systems,  p.  45)  , and  the  reliability 
community  feels  it  can  be  achieved,*  but  in  practice,  DTUPC  dominates. 
Performance  tradeoffs  are  too  likely  to  be  made  under  DTUPC,  where  unit 
production  cost  is  the  dominant  factor.  This  may  seriously  impact  the 
maintenance  and  logistics  problems  of  fielded  equipment.  In  the  absence 
of  design-to-life-cycle  cost  constraints,  contractors  are  likely  to  make 
proposals  that  are  optimistically  priced,  often  based  on  the  benefits  of 
advanced  technology  or  custom-built  integrated  circuits  (IC*s).  But 
without  life-cycle  cost  data,  the  costs  inherent  in  such  proposals  can 
be  much  higher  than  those  indicated  by  unit  production  costs. 


*A  member  of  the  Army  Electronics  Command  Reliability  group  cited 
these  figures:  a 20-percent-cost  impact  in  development  and  production 
costs  for  piece  part  and  design  could  save  up  to  five  times  the  invested 
dollars  in  lifetime  maintenance  costs.  Joseph  B.  Brauer  from  RADC 
expressed  it  another  way — in  development  it  might  cost  $2  to  detect  and 
fix  a defective  part.  In  the  field,  the  detection  and  fix  might  cost 
$500. 
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Contractor  incentives  also  are  likely  to  reduce  the 
reliability.  This  follows  from  the  fact  that  in  practice,  the  PM  has 
the  final  say  on  the  matters  that  ultimately  impact  system  reliability 
and  nuclear  survivability.  What  this  means  is  that  even  though  the  PM 
has  an  engineering  staff,  in  many  cases,  reliability  engineers  and  nu- 
clear survivability  experts  are  not  on  the  PM  staff.  (We  know  of  no 
formal  requirement  or  guidance  on  the  inclusion  of  reliability*  or 
nuclear  survivability  experts  on  the  PM  staff.)  This  limitation  often 
does  not  deter  a PM  from  accepting  contractor  recommendations  concerning 
piece-part  selection  and  circuit  design  that  can  impact  both  reliability 
and  survivability.  It  is  very  unlikely  that  the  reviewing  committee 
(namely,  the  In-Process  Review,  Army  Systems  Acquisition  Review  Council, 
or  Defense  Systems  Acquisition  Review  Council)  would  be  made  aware  of 
kinds  of  tradeoffs  on  the  piece-part  and  circuit  level  that  the  PM  has 
made . 


The  classic,  yet  common,  example  of  the  problem  cited  above  is 
the  use  of  contractor-specified  semiconductor  piece  parts  in  place  of 
military  standard  parts.  Traditionally,  the  contractors  have  found  it 
easy  to  obtain  waivers  based  on  the  cost  and  availability  of  military 
standard  parts.  The  difficulty  with  this  approach  is  that  although 
production  costs  may  be  lowered,  reliability,  maintenance,  and  logistics 
may  bear  the  burden  of  this  move.  In  fact,  production  costs  usually 
increase  when  commercial  devices  are  used  throughout,  because  after 
initial  production,  serious  problems  occur  requiring  additional  work  and 
testing.  The  cost  for  this  extra  work  is  typically  two  to  five  times 
the  total  parts  cost.  As  an  example,  the  Air  Force  Rome  Air  Development 
Center  (RADC)  traced  failures  to  several  commercial  IC*s.  The  extra 
cost  to  rework  the  IC*s  was  $6.74  per  IC.  A JAN  replacement  was  found 
for  only  $2.47  per  device. 

Another  not  so  obvious  example  is  the  following.  The  initial 
performance  criteria  of  a circuit  can  be  met  by  using  a capacitor  rated 
for  20  V in  such  a way  that  20  V or  more  is  applied  across  it. 
However,  the  lifetime  of  this  device  is  seriously  affected  because  of 
this  underdesign.  Good  reliability  engineering  practice  calls  for  an 
overdesign  factor  of  two  in  capacitor  voltages  to  insure  the  maximum 
capacitor  lifetime.  The  point  is  that  piece-part  cost  or  volume  could 
be  the  desired  traits,  while  the  reliability  consideration  may  be 
unwittingly  sacrificed. 


*The  suggestion  is  made  in  AR  70-17 , System/Project  Management 
(16  June  1975),  para.  2-lb(9) , that  among  authorized  PM  staff  might  be 
Reliability , Acceptability,  Maintainability  personnel. 
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Yet  another  problem  is  the  inadequate  allowance  of  time  and 
dollars  in  the  preproduction  stages  to  allow  the  DTC  philosophy  to  work 
properly.  There  is  no  point  in  speculating  why  this  condition  can  and 
does  exist.  Nevertheless,  DTC  can  and  does  work  when  qiven  the  proper 
conditions  and  valid  cost  data,  and  DTC  can  add  support  to  both  reli- 
ability and  nuclear  survivability  requirements. 

2 . 3 The  Project  Manager  and  Contractor  Viewpoints 

Another  barrier  to  logical,  effective  program  management  is  the 
nature  of  the  PM  position  within  the  Army.  In  most  if  not  all 
instances,  the  PM  is  military.  Even  though  the  Army  policy  is  that  the 
PM  position  is  to  be  considered  a select  career  assignment,  some 
officers  feel  that  a PM  assignment  is  a mixed  blessing  and  a risky 
assignment  for  career  purposes.  The  Army  is  working  to  counteract  these 
attitudes.  Assume  that  this  factor  by  itself  is  not  a barrier  to 
effective  management.  The  PM  position  is,  like  other  assignments, 
military  or  civilian,  in  part  a means  of  getting  a promotion.  The 
measurable  "success  factors"  are  cost  and  schedule  goals.  This  position 
is  mainly  caused  by  management  preoccupation  with  these  factors.  This 
position  is  borne  out  by  the  fact  that  up  to  this  time  there  were  no 
plans  to  determine  reliability  performance  in  the  field.  This  fact  was 
a problem  for  the  logistics  people  or  the  basis  for  a product 
improvement. 

On  the  other  hand,  the  contractor  performs  an  economic  analysis 
to  assess  the  tradeoffs  that  lead  to  maximum  profit.  Next  to  profit  in 
importance  to  the  contractor  is  performance.  No  known  contracts  have 
been  terminated  for  cost  or  scheduling  violations,  but  some  contracts 
have  been  terminated  for  lack  of  critical  performance  characteristics. 
In  all  fairness,  it  is  best  to  mention  that  fixed  fees  have  been  lost 
due  to  cost  overruns.  Nonetheless,  the  Army  has  established  the 
precedent  of  accepting  equipments  that  have  not  met  the  reliability 
requirements  when  the  principal  operational  requirements  are  met. 

2 . 4 Military  Standards  and  Specifications 

It  is  a matter  of  record  that  poor  reliability  is  associated 
with  many  military  equipments.^  In  spite  of  this  poor  record,  the  Army 
apparently  has  no  way  of  accumulating  data  from  the  field  to  find  the 
exact  causes  or  trends  that  influence  materiel  reliability.  Meanwhile, 
the  reliability  community  has  been  trying  to  cope  with  this  problem  by 
emphasizing  the  manufacture  and  production  of  reliable  semiconductor 
piece  parts.  Here  is  where  military  standards  and  specifications  can  be 

1//.  P.  Gates,  B.  S.  Gourary,  et  al , Electronics  X:  A Study  of 
Military  Electronics  with  Particular  Reference  to  Cost  and  Reliability , 
Vol.  2:  Complete  Report,  DARPA  R-195,  Institute  for  Defense  Advanced 
Research  Projects  Agency , AD-A001065  (January  1974) . 
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important*  But  reliable  systems  do  not  depend  only  on  piece-part 
selection.  It  is  absolutely  essential  that  this  be  coupled  with  good 
circuit  design  practices.  Little  useful  military  documentation  exists 
to  provide  guidance  on  circuit  design,  specifically  in  the  area  of  piece 
part  derating  factors,  which  is  an  important  facet  of  reliable  design. 

There  is  available  to  the  PM  a vast  array  of  documents  to  help 
him  and  the  contractor  sort  out  the  proper  approach  to  reliability. 
Particularly  in  the  late  1960’s,  military  (i.e.,  tri-Service)  standards, 
specifications,  and  handbooks  relating  to  the  reliability  considerations 
for  electronic  equipment  began  to  be  recognized  for  their  potential 
influence  on  the  reliability  problem.  Two  of  these  documents  are 
particularly  important  to  the  reliability  and  survivability  aspects  of 
the  semiconductor  device  technology.  These  are  MIL-S-19500  (the 
specification  document  for  discrete  transistors  and  diodes)  and 
MIL-M-38510  (the  specification  for  IC*s).  These  specifications  treat 
the  mechanical  and  electrical  parameters  of  qualified  parts,  production 
assurance  measures,  and  lot  acceptance  techniques  that  are  designed  to 
lead  to  producible,  predictable,  and  uniform  devices.  Both  of  these 
dociiments  are  being  updated  to  reflect  the  latest  thinking  on  semi- 
conductor reliability. 

A related  document,  MIL-STD-701H,  indicates  that  military 
equipment  should  be  built  from  military-qualified  parts.  But  an  obvious 
evolution  in  thinking  has  taken  place  over  the  years;  under  the  heading 
of  MIL-S-19500E  (1968) , it  was  stated  that,  "This  specification  is 
mandatory  [italics  ours]  for  use  by  all  Departments  and  Agencies  of 
DoD."  In  the  following  supplements  and  amendments  to  MIL-S-19500  and  in 
MIL-M-38510A  (1972),  the  citation  reads,  "This  specification  is  approved 
[italics  ours]  . . . ." 

For  putting  together  the  contract  package,  at  least  two 
standards  can  be  used  to  assist  in  the  reliability  engineering  of  a 
system.  MIL-STD-701  lists  the  diodes  and  transistors,  and  MIL-STD-1562 
lists  the  microcircuits  that  are  approved  for  use.  Military 
specifications  and  standards  are  binding  only  if  they  are  cited  in  the 
procurement  package.  Even  when  these  and  similar  doc\iments  are  cited, 
approval  of  nonstandard  parts  is  easy  to  obtain  in  actual  practice, 
since  the  approving  official  is  the  PM,  and  he  is  influenced  mostly  by 
the  cost  and  availability  problems  associated  with  military  standard 
parts.* 


The  assumption  in  requiring  the  use  of  military  standard 
parts  is  that  reliability  is  an  inherent  quality  of  these  parts.  This 
assumption  is  not  always  correct.  If  the  parts  are  made  to  the 


*The  requests  must  be  formalized  through  MIL-STD-7498 , Military 
Preparation  and  Submission  of  Data  for  Approval  of  Non-Standard  Parts. 


10 


specifications  and  the  lot  acceptance  tests  are  performed  according  to 
MIL-STD-883  (IC* *s)  or  MIL-STD-750  (discretes),  the  assumption  of 
reliability  is  good  when  adequate  circuit  design  margins  are  used. 
However,  there  exist  some  data^  within  the  reliability  community  that 
demonstrate  that  the  semiconductor  vendors  have  not  been  living  up  to 
their  side  of  the  bargain  even  though  they  certified  their  compliance  to 
the  standards  and  specifications.  In  the  hopes  of  improving  the  reli- 
ability of  communications  electronics,  the  Army  Electronics  Command 
(ECOM)  began  requiring  contractually  that  the  prime  contractor  deliver 
to  the  Government  traceable  data  that  could  be  used  to  verify  that  the 
lot  acceptance  tests  were  performed.  Much  to  their  chagrin,  ECOM  soon 
found  that  the  vendor  charge  for  these  data  was  inordinate.  Now  ECOM 
requires  these  data  for  "critical”  piece  parts  only.  Who  defines  these 
critical  parts  for  each  system  is  not  known,  perhaps  the  contractor. 
This  is  a step  in  the  right  direction,  but  not  without  problems. 

2.5  Hardness  Assurance  Subcommittee 


In  the  revised  version  of  MIL-S-19500F  now  being  circulated  for 
coordination  and  approval,  in  addition  to  updating  the  criteria  and 
tests  in  19500E,  process  controls  are  being  added.  This  addition  means 
that  the  vendor  has  to  make  the  device  using  certain  approved 
techniques.  Changes  in  these  processes  are  made  only  at  the  discretion 
and  approval  of  the  Government.  Process  controls,  if  acceptable  to  the 
Government  and  the  vendors,  would  be  a significant  step  in  controlling 
not  only  the  reliability,  but  also  the  nuclear  response  of  semiconductor 
piece  parts,  since  the  product  would  be  more  uniform.  A subcommittee 
composed  of  Government  and  industrial  experts*  is  working  to  iron  out 
the  details  of  qualifying,  testing,  and  controlling  the  nuclear  response 
of  discrete  and  IC  semiconductors.  Their  success  will  in  large  measure 
depend  on  the  acceptability  of  the  concept  of  process  controls. 


Specifically,  this  subcommittee  is  considering  specifying  the 
nuclear  induced  response  of  a limited  (or  preferred)  list  of  piece  parts 
(approximately  50  discretes  and  50  to  100  IC*s).  The  nuclear 
environments  to  be  considered  are  neutrons,  ionizing  radiation,  ionizing 
dose  rate,  nuclear  EMP- induced  voltages  and  currents,  and 
thermomechanical  stresses.  The  concept  being  studied  now  is  to 
experimentally  determine,  from  a statistically  significant  sample  of 
device  types  from  various  manufacturers,  the  change  in  the  appropriate 
device  parameters  (e.g.,  beta  or  gain  for  neutron  effects,  photocurrent 

K.  Church,  Reliability/Field  Failure  Experience  with 
Microelectronic  Devices,  Naval  Ammunition  Depot  (NAD),  Crane,  IN, 
Proceedings  Solid  State  Device  Reliability  WorJcshop,  Ser  16-033  (24  July 
1972),  249. 

*The  Hardness  Assurance,  Military  Parts  Standardization  Subcommittee 
on  the  NASA-SAMSO  Space  System  Reliability  Committee . 
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for  dose  rate) . The  device  response  could  be  expressed  as  a damage 
threshold  or  a damage  constant.  This  in  turn  can  be  related  to  changes 
in  the  appropriate  device  parameter  over  a specified  linear  range  of  the 
degrading  environment.  For  example,  Ipp  = Kpy , where  Ipp  is  the 
geunma-induced  device  photocurrent,  Kp  is  the  experimentally  determined 
damage  constant,  and  y is  the  gamma  radiation  peak  dose  rate. 

Over  the  next  year,  this  si±)committee  hopes  to  work  out  the 
details  of  (1)  dosimetry  and  simulation  facility  selections,  (2) 
simulation  test  methods  and  procedures,  (3)  piece-part  parameter 
specifications,  (4)  production  process  controls,  (5)  lot  acceptance 
tests,  and  (6)  periodic  requalification  of  the  vendor  process  and 
product. 


Again,  good  as  this  approach  sounds,  there  are  some  basic 
shortcomings.  In  theory,  reliability  and  nuclear  survivability 
considerations  should  be  applied  beginning  in  the  conceptual  phase.  In 
practice,  through  at  least  the  validation  prototype  development,  only  a 
few  military-qualified  parts  are  now  used.  This  is  an  essential  part  of 
the  reliability  growth  concept^  for  which,  in  each  phase  of  the  program, 
the  reliability  is  supposed  to  improve.  Therefore,  the  reliability  and 
nuclear  survivability  tests  and  predictions  will  not  be  realistic  until 
the  piece  part  list  is  firm  and  based  on  the  maximum  use  of  military 
standard  parts.  (For  Army  field  equipment,  this  is  never  expected  to  be 
100  percent  and  is  currently  50  to  75  percent.) 

Two  drawbacks  exist  to  the  reliability-growth  concept.  The 
first  is  that  if  the  decision  to  use  military-qualified  devices  is  put 
off  until  the  validation  or  full-scale  production  phases,  the  PM  is  more 
likely  to  refuse  the  proposed  changes , no  matter  how  small  the  cost 
increase  is.  The  second  drawback  is  that  if  militairy-qualif ied  parts 
are  not  insisted  on  early  enough,  contract  renegotiations  may  be 
unavoidable . 

2.6  Semiconductor  Device  Classes 


The  assumption  that  the  expected  reliability  of  militairy 
standard  (Joint  Army-Navy  or  JAN)  parts  is  better  than  commercial  parts 
has  been  borne  out  by  the  available  data.  But  MIL-S- 19500  and 
MIL-M-38510  provide  for  more  than  one  class  of  device,  because  these 
general  specifications  satisfy  the  needs  of  a broad  spectrum  of  users. 
The  equivalent  designations,  reliability  figures,  and  cost  are  listed  in 
table  I. 


^AR  702-3,  Army  Materiel  Reliability,  Availability,  and 

Maintainability  (15  May  1973). 
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TABLE  I- 

RELATIVE  FAILURE 
OF  DEVICES 

RATES  AND  ITEM  COSTS 

FOR  VARIOUS  CLASSES 

Device  classes 

Approximate  relative 
failure  rate^ 

Relative  cost  per  gate^ 

Captive  line 

product  (nonstandard) 

<1 

30  to  100 

MIL-S-19500 

(MIL-M-38510) 

JANA 

(A) 

1 

5 to  15 

JANTX 

(B) 

2 to  10 

2 to  5 

JAN 

(C) 

16 

1 

Commercial  product  (nonstandard) 

30  to  150 

0.2  to  0.5 

^Joseph  B.  Brauer,  The  Development  and  Status  of  MlL-STD-88  3 and  MIL-M- 38510  ^ Rome 
Air  Development  Center  fn,d,J. 


More  often,  the  designer  and  the  PM  are  exposed  to  the  data  of 
the  last  column,  i.e.,  the  cost,  without  appreciating  the  relative 
reliability  figures  in  column  3.  Naturally,  they  would  conclude  that 
anything  more  than  a commercial  part  would  at  least  double  the  UPC. 
Information  available  from  RADC  indicates  that  only  5 to  10  percent  of 
the  UPC  for  ground  equipment  is  in  the  piece  parts.  Therefore,  the  use 
of  class  B or  JANTX  parts  compared  with  commercial  parts  would  be 
expected  to  impact  the  UPC  by  25  to  50  percent.  However,  in  actual 
practice,  the  impact  is  typically  closer  to  10  to  20  percent.  What  this 
buys  is  a very  significant  improvement  in  the  piece-part  failure  rate, 
a factor  of  15  to  75.  In  addition,  the  cost  may  be  completely  offset  by 
savings  in  rework  and  retest  which  generally  range  from  10  to  40  percent 
of  the  manufacturing  cost. 

MIL-M-38510  and  MIL-S-19500  list  the  types  of  inspections  and 
tests  that  must  be  performed  on  the  various  classes  of  devices  (to  sort 
out  the  suspect  and  defective  parts) . Both  specifications  list  a Lot 
Tolerance  Percent  Defective  (LTPD)  table.  Given  the  part  reliability 
figure,  this  matrix  is  used  for  selecting  the  minimum  number  of  devices 
that  must  be  sampled  in  a given  lot  size  and  the  number  that  must  pass 
the  specified  test.  In  the  case  of  devices  with  a desired  reliability 
figure  of  95  percent  (LTPD  = 5 percent)  with  90  percent  confidence,  the 
minimum  sample  size  is  45  with  no  rejections  allowed,  77  with  one 
rejection  allowed,  105  with  two  rejections,  and  so  on. 

Piece-part  reliability  is  related  to  system  level  mean  time 
between  failure  (MTBF) , mean  time  to  repair,  and  equipment  availability 
by  a series  of  generally  simplified  assumptions  and  formulas.  More 
often  than  not,  the  system  level  specifications  are  not  validated  either 
through  careful  monitoring  of  the  semiconductor  vendor  tests  on  the 
piece  parts  or  by  tests  of  statistically  significant  numbers  of 
equipments.  In  fact,  the  sample  size  of  the  equipments  tested  is  an 
inverse  function  of  the  system  cost. 
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No  mention  is  made  in  any  DoD- level  document  of  the  use  of  the 
various  classes  of  JAN  parts.  In  practice,  informed  designers  prefer  to 
use  class  B or  JANTX  parts* *  in  the  validation  and  full-scale  development 
phases.  These  provide  a good  reliability  figure  at  a modest  cost.  In 
fact,  ECOM  requires  waivers  for  the  contractor  to  use  class  C (JAN)  or 
commercial  devices  (because  of  their  lower  reliability)  or  to  use  class 
A (JANA)  devices  (because  of  their  higher  cost) . ^ However,  the  burn-in 
requirements  for  class  B or  JANTX  devices  can  cause  availability  and 
cost  problems  in  the  production  phase,  and  waivers  at  this  stage  often 
lead  to  commercial  devices,  but  not  to  JAN  or  class  C devices,  because 
it  appears  that  the  design  engineers  are  far  removed  from  these 
decisions.  However,  the  availability  problem  of  class  B or  JANTX  parts 
is  more  apparent  than  real,  since  the  parts  require  only  a 1-wk  (168  hr) 
burn-in  time  plus  time  for  testing.  Some  of  these  parts  are  available 
off  the  shelf.  The  cost  for  class  B and  JANTX  parts  would  be  lower  if 
more  were  employed. 

2.7  Reliability  of  the  System 

Through  the  ED  prototype  phase,  inadequate  tests  and  imprecise 
calculations  tend  to  characterize  the  reliability  aspects  of  program 
development.  But  these  tests  and  analyses,  whatever  their  quality  and 
quantity,  end  at  DT/OT-III.  For  the  production  phase  of  the  reliability 
program,  quality  assurance  techniques  are  assumed  adequate  to  preserve 
the  reliability  figure,  and  therefore,  reliability  of  production  line 
equipments  is  tested  only  in  the  field.  The  quality  assurance 
techniques  are  controls  and  inspections. 

Current  emphasis  within  the  developing  community  is  the  use  of 
commercial  off-the-shelf  equipments.  This  approach  is  justified  by  both 
reliability  and  cost.  Reliable  commercial  systems  have  evolved  without 
the  need  for  military-specified  parts,  because  the  production  has 
continued  over  many  years  without  significant  product  changes,  and  this 
continuation  was  backed  by  good  data  from  the  field  on  failure  modes. 
This  evolution  led  to  an  optimum  combination  of  piece  parts,  circuit 
design,  derating  factors,  and  cost.  The  most  reliable  equipments  were 
found  to  be  made  with  the  equipment  manufacturers*  own  production-line 
semiconductor  parts,  wherein  they  could  assure  the  uniformity  of  the 
products.  When  commercial  off-the-shelf  items  are  procured,  sufficient 
historical  data  should  exist,  i.e.,  get  items  that  are  field  proven,  not 
those  that  just  recently  commenced  production.  In  addition. 


^ ECOM  specification  MIL-P-11268 , Parts,  Materials,  and  Processes 
Used  in  Electronic  Equipment . 

*These  parts  are  burned  in  at  high  voltage  and  temperature  stresses 
to  weed  out  the  weak  parts. 
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modifications  should  be  avoided,  since  they  alter  the  status  of  the 
equipment  such  that  it  can  no  longer  be  considered  the  same  field-proven 
equipment.  Also,  one  must  be  careful  not  to  confuse  off-the-shelf 
designs  with  hardware,  because  the  former  have  no  field  history  on 
reliability. 

This  is  an  opportune  place  to  reflect  on  what  has  been  said  so 
far.  First,  in  practice,  reliability  is  subjugated  to  cost  and  schedule 
goals.  Second,  military  hardware  development  programs  have  often  chased 
technology  and  changed  performance  requirements  throughout  the 
development  cycle.  Both  of  these  practices  are  contrary  to  good 
reliability  practices.  Third,  adequate  documentation  (regulations, 
standards,  and  specifications)  may  exist,  but  all  too  often  these  proven 
procedures  are  not  followed. 

2 .8  Nuclear  Survivability 

The  discussions  above  have  centered  on  the  models,  technology, 
aids,  and  problems  of  reliability  requirements.  The  nuclear 
survivability  criteria  application  to  system  development  has  an  even 
rockier  road  to  travel.  There  is  little,  if  any,  formal  documentation 
(regulations,  standards,  and  specifications)  to  lay  out  a road  map  for 
the  system  developer.  The  DNA  Handbooks  are  available  for  the  equipment 
designers,  but  they  are  formidable  piles  of  paper  for  the  designer 
without  previous  experience  in  nuclear  survivability  design.  These 
problems  are  currently  being  addressed  at  HDL.  But  the  lack  of  the 
appropriate  documentation  is  a good  reason  or  excuse  for  unhardened 
equipment  in  the  inventory. 

A substitute,  although  not  a good  substitute,  is  nuclear 
survivability  design  expertise  early  in  the  development  cycle.  As  in 
the  case  of  reliability,  advice  on  hardening  considerations  often  is  not 
sought  until  the  whistle  is  blown,  i.e.,  when  somebody  recognizes  late 
in  the  development  cycle  that  nothing  has  been  done  about  the  nuclear 
requirement.  At  this  time,  the  cost  and  schedule  impacts  can  be  quite 
serious  and  may  result  in  a decision  to  waive  the  nuclear  requirement  or 
reduce  it  to  the  level  at  which  hardware  can  meet  the  requirement 
without  modifications. 

For  the  most  part,  the  nuclear  survivability  requirement 
associated  with  tactical  equipments  can  be  treated  with  a modest  effort 
and  low  cost  if  considered  from  the  time  of  the  conceptual  phase.  The 
estimate  for  the  SAM-D  system  was  on  the  order  of  3 percent  R&D  cost 
impact  for  balanced,  man-limited  nuclear  survivability.  However,  the 
tradeoffs,  design,  and  validation  must  be  performed  with  the  support  of 
experienced  Government  or  contractor  personnel  or  both. 
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Our  experience  has  been  that  when  the  contractor  had  the 
nuclear  expertise  available,  his  cost  estimates  were  reasonable,  and  the 
hardness  was  achieved.  The  problem  is  with  the  unknowledgeable 
contractor,  since  estimates  of  the  cost  for  nuclear  hardening  are  quite 
often  inordinate.  This  problem  alone  has  been  the  overriding  cause  of 
the  cancellation  of  nuclear  survivability  requirements  for  tactical 
systems  with  modest  criteria.  This  response  of  the  unknowledgeable 
contractor  is  to  be  expected  since  he  is  unsure  of  his  capability  to 
solve  the  problem  and  most  likely  has  to  include  learning  costs  or 
subcontract  for  expertise.  Here  is  where  suitable  documentation  could 
possibly  provide  sufficient  insight  and  understanding  of  the  nuclear 
hardening  requirements.  Unfortunately,  the  closest  approach  to  such 
documents  is  the  DNA  Handbooks.  However,  they  are  much  too  long.  They 
discuss  measures  of  hardening  for  all  survivability  levels,  and  they 
cannot  keep  up  with  the  state  of  the  art.  What  is  required  is  something 
concise  and  to  the  point,  applicable  to  the  specific  criteria  of 
concern,  and  current. 

2.9  Association  between  Nuclear  Survivability  and  Reliability 

The  nuclear  effects  on  electronic  piece  parts  for  the  tactical 
survivability  criteria  are  generally  confined  to  the  semiconductor  parts 
(i.e.,  diodes,  transistors,  and  IC*s).  It  is  rare  that  a specially 
hardened  semiconductor  device  is  required  to  produce  tolerable  responses 
in  a system  with  these  modest  criteria  when  survivability  is  designed 
into  the  system  from  the  start.  However,  there  are  many  semiconductor 
devices  whose  nuclear  responses  are  far  more  favorable  than  others  for 
survivable  designs.  The  key  is  to  select  these  less  susceptible  parts 
and  couple  survivivability  with  the  proper  circuit  design. 

No  military  standard  or  specification  can  be  associated  with 
nuclear  survivability.  Rough  calculations  of  the  piece-part  response 
can  be  made  based  on  some  device  parcimeters  (e.g.,  minimum  gain, 
gain-bandwidth  product  f^) . When  the  device  parameters  used  for  nuclear 
response  determinations  are  controlled  parameters  and  are  designated  as 
such  in  the  appropriate  military  specifications,  then  nuclear 
survivability  begins  to  resemble  reliability  by  the  nature  of  the 
controls  imposed.  The  Hardness  Assurance  Subcommittee  is  evaluating  the 
device  parameters  and  process  controls  necessary  to  control  and  predict 
the  device  response  as  a possible  approach  to  nuclear  survivability. 
However,  piece-part  response  is  not  the  whole  story.  Circuit  design 
considerations,  hardness  assurance  controls,  and  verification  of 
survivability  are  also  essential  ingredients  to  a sound  nuclear 
survivability  program. 
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In  general,  reliability  and  nuclear  survivability  tend  to 
follow  the  same  trend  because  both  require  controls.  However,  these 
controls  are  not  necessarily  the  same  for  both  problems.  An  example  of 
the  differences  is  in  the  f^  requirement.  Low  frequency 
minority-carrier  devices  are  in  general  more  susceptible  to  neutron 
damage  than  high  frequency  ones.  However,  the  reliability  of  a device 
is  not  dependent  upon  f^ , but  rather  on  many  other  parameters 
controlled  by  the  military  standards  and  specifications. 

2.10  Nuclear  Radiation  Effects  on  Electronics 


The  primary  degrading  effect  of  neutrons  is  a reduction  of 
minority-carrier  lifetime  in  bipolar  transistors.  This  causes  a 
reduction  in  gain,  an  increase  in  saturation  voltage,  and  an  increase  in 
leakage  current.  In  analog  IC*s,  this  usually  results  in  some  loss  in 
device  gain,  a reduction  in  gain-bandwidth  product,  and  changes  to  the 
input  offset  voltage.  In  addition,  the  device  may  no  longer  be  able  to 
drive  a heavy  load.  In  digital  IC's,  fanout  is  reduced,  because  the 
changes  in  the  output  transistor  parameters  reduce  the  maximum  current 
that  the  device  can  sink.  In  addition,  the  HIGH  and  LOW  voltages  may 
degrade  somewhat  so  that  the  protective  voltage  difference  (guaranteed 
noise  voltage  margins)  between  the  two  levels  is  reduced.  Thus,  the 
circuit  may  be  vulnerable  to  logical  changes  in  state  caused  by  smaller 
noise  signals  than  before  irradiation. 

The  piece-part  reliability  and  neutron  response  require  control 
of  different  parameters.  However,  on  a circuit  level,  the  two 
requirements  are  more  closely  related.  For  example,  to  insure  the 
reliability  figure,  large  derating  factors  may  be  used  so  that  less 
power  is  dissipated  in  the  transistors  and  larger  variations  in  the 
ageing  of  piece  parts  can  be  tolerated. 

The  total  ionizing  dose  effects  on  electronics  at  the  levels  of 
interest  to  field  Army  equipments  are  generally  limited  to  IC  latchup. 
This  phenomenon,  which  can  occur  at  very  low  doses  but  only  for  high 
dose  rates,  affects  both  complementary  metal  oxide  semiconductors  (CMOS) 
and  junction-isolated  bipolar  IC*s.  The  occurrence  of  latchup  in 
bipolar  IC*s  is  relatively  rare.  On  the  other  hand,  bulk  silicon  CMOS 
devices  appear  to  be  plagued  with  this  problem.  Unfortunately,  these 
technologies  comprise  the  bulk  of  the  IC*s  being  manufactured  today,  and 
avoiding  them  is  not  a viable  solution.  There  are  special  manufacturing 
techniques  available  for  avoiding  latchup  in  CMOS,  even  at  very  high 
dose  rates. ^ Among  these  techniques  are  gold  doping,  dielectrically 
isolated  substrates,  mask  layout  design,  and  even  neutron  irradiation. 


^B.  L,  Gregory  and  B,  B,  Shafer,  Latchup  in  CMOS  Integrated  Circuits , 
IEEE  Transactions  on  Nuclear  Science,  NS-20,  No,  6 (Decewber  1973), 
293-299. 
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The  goal  is  either  to  reduce  the  minority  carrier  lifetimes  so  that  all 
possible  gain  products  between  parasitic  NPN  and  PNP  transistor 
pairs  are  less  than  unity  or  to  isolate  the  layers  so  that  no  SCR-like 
action  is  possible.  A possible  solution  for  latchup  in  the  case  of  the 
standard,  unhardened  CMOS  is  to  isolate  the  IC  from  the  power  supply  by 
the  addition  of  a small  series  current-limiting  resistor.  It  is  unclear 
as  to  whether  this  is  a universal  solution,  and  if  it  is  not,  avoidance 
of  CMOS  would  be  advisable.  Since  latchup  in  junction-isolated  bipolar 
IC’s  is  infrequent,  response  data  on  the  specific  device  type  is 
required.  Reliability  considerations  alone  would  not  preclude  the  use 
of  these  susceptible  devices.  However,  once  these  susceptible  devices 
are  identified,  controls  like  those  available  to  the  reliability 
engineers  are  necessary  to  keep  these  susceptible  devices  out  of 
survivable  system  designs. 

The  only  other  significant  total  dose  effect  at  tactical  system 
survivability  levels  is  the  degradation  of  lasers.^  Doses  of  a few 
hundred  rads  (Si)  have  been  shown  to  alter  the  threshold  for  lasing  in 
some  materials.  This  change  leads  to  cessation  of  lasing  action  or  loss 
of  output  power.  This  effect  can  be  mitigated  by  operating  the  laser 
well  above  the  threshold.  In  this  case,  the  only  effect  is  that  the 
laser  power  is  degraded.  Where  power  consumption  is  critical,  the 
system  operating  point  is  designed  to  be  near  the  lasing  threshold 
(e.g.,  in  a man-pack  laser  range  finder,  the  margin  might  be  less  than 
10  percent) . Our  information  leads  us  to  believe  that  for  reliability, 
the  same  philosophy  would  apply,  since  lower  operating  voltages  on 
capacitors  and  less  power  dissipated  in  flash  lamps  imply  longer  part 
lifetimes.  The  implication  is  that  where  power  consumption  or 
reliability  dominates  the  laser  system  design,  the  nuclear  response  of 
the  system  is  more  likely  to  be  a problem. 

The  nuclear  dose  rate  effects  are  transient  false  signals, 
device  burnout,  magnetic  logic  upset,  and  reversible  and  irreversible 
changes  of  state.  In  general.  Army  equipments  do  not  have  an 
operate-through  requirement  for  nuclear  survivability.  Therefore, 
transient  false  signals  and  logic  upsets  can  be  compensated  for  (e.g., 
the  bad  data  can  be  discarded,  or  a retransmission  of  a message  can  be 
requested,  and  a way  to  reestablish  stored  information  can  be  provided). 
In  most  military  equipments,  logic  upset  is  provided  for,  since  the 
commonly  occurring  power  transients  and  outages  can  produce  the  same 
effect. 


J.  Halpin,  A Progress  Report  on  the  Transient  Radiation  Effects 
on  Laser  Materials  FY*71,  NRL  Memorandum  Report  2337 , Naval  Research 
Laboratory  (30  June  1971). 


18 


Semiconductor  burnout  in  discretes  and  IC*s  is  strongly 
associated  with  reliability  considerations  and  good  design  practice. 
There  are  two  types  of  burnout:  metallization  and  thin  conductor 
burnout  and  junction  burnout.  Both  types  are  caused  by  the  large 
currents  induced  in  the  circuit  by  the  gamma  pulse  or  coupled  from  the 
external  or  system-generated  (internal)  BMP.  Most  metallization 
burnouts  are  due  to  defective  metallization,  which  can  be  avoided  by 
proper  reliability  methods.  Another  major  consideration  is  good  design 
practice.  To  preclude  generation  of  currents  capable  of  burning  out  the 
metallization  or  junction,  it  is  necessary  to  properly  isolate  the  piece 
part  from  its  primary  source  of  current,  i.e.,  its  power  supply.  Proper 
isolation  is  normally  achieved  with  limiting  resistors.  This  is  not 
found  in  nonnuclear  survivable  designs. 

Many  dose  rate  effects  fall  into  the  reversible  and 
irreversible  categories.  For  example,  silicon  controlled  rectifiers 
(SCR*s)  are  triggered  by  the  transient  gamma  pulse  and  can  be  reset  only 
by  removing  primary  power  to  them.  Power  supplies  designed  to  shut  down 
when  an  overcurrent  or  overvoltage  is  sensed  are  reversible  events  if 
they  are  easily  reset.  Semiconductor  burnout  is  one  example  of  an 
irreversible  action  produced  by  the  transient  gamma  pulse.  Other 
examples  are  nonresettable  timers  that  may  be  started  by  a false  signal 
or  fuses  or  electrically  activated  squibs  that  may  be  destroyed  by  the 
false  signal  induced  by  the  gamma  pulse.  In  general,  there  are 
categories  of  devices  to  be  avoided  and  certain  circuit  design 
guidelines  to  be  followed  to  prevent  such  events  from  occurring,  many  of 
which  are  not  included  in  the  standard  practices  of  reliability 
engineering . 

The  BMP  response  of  a system  is  a complex  phenomenon  involving 
electromagnetic  coupling,  cross  coupling,  and  device  burnout-  Shielding 
of  cables,  cable  connectors,  and  electronic  enclosures  combined  with 
protection  devices  at  the  terminations  of  antennas,  cables,  and  other 
critical  entry  ports  are  the  commonly  applied  BMP  hardening  techniques. 
The  intent  is  to  reduce  as  much  as  possible  the  amount  of  BMP  energy 
coupling  into  a system  and  then  use  circuit  hardening  and  circumvention 
techniques  as  required  to  survive  the  effects  of  that  energy  that  does 
penetrate  to  the  circuit  and  device  level.  Electromagnetic 
compatibility  (EMC)  and  lightning  requirements  come  closest  to 
ameliorating,  but  not  solving,  the  BMP  problem.  Therefore,  normal 
reliability  considerations  associated  with  EMC  and  lightning  protection 
are  not  enough  to  protect  a system  against  BMP. 
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In  summary,  reliability  considerations  by  themselves  can  work 
contrary  to  nuclear  survivability  considerations  (e.g.,  laser  systems); 
they  can  work  in  consonance  with  nuclear  survivability  requirements 
(e.g.,  metallization  burnout,  transistor  piece-part  derating  in 
circuits);  and  these  two  requirements  can  be  unrelated  (e.g.,  latchup, 
semiconductor  piece-part  response  determinants,  metallization  or 
junction  burnout  current  limiting  requirements) . A generalized 
statement  might  be  that  nuclear  survivability  tends  to  be  aided  by  reli- 
ability considerations,  but  the  relationship  between  the  two  is  not  one 
of  dependency,  because  many  of  the  controlled  parameters  are  different 
for  the  two  problems.  However,  the  fact  that  parameters  are  controlled 
for  both  problems  constitutes  a major  similarity  between  solutions  of 
the  two  problems. 

The  final  item  for  consideration  is  the  effect  on  the  MTBF  due 
to  the  exposure  of  an  electronic  system  to  the  nuclear  TRE  and  EMP 
environments.  Assuming  that  the  system  survives  the  single-burst, 
nuclear  encounter,  the  electronic  systems  performance  is  most  likely 
degraded  somewhat  if  the  exposure  level  was  at  or  near  the  "typical" 
nuclear  survivability  requirements  for  tactical  systems.  The 
performance  degradation  results  from  piece-part  degradation.  The  net 
result  would  be  to  narrow  the  circuit  design  margins,  making  the  circuit 
more  sensitive  to  device  parameter  changes  due  to  normal  ageing  or  to 
the  increased  power  dissipated  in  the  device.  The  conclusion  is  that 
without  proper  consideration  to  the  nuclear  response  of  the  electronic 
system,  the  MTBF  is  expected  to  be  degraded.  The  extent  of  this  effect 
is  dependent  on  the  design  margins  in  the  circuits. 

The  effects  of  ageing  are  virtually  nonexistent  for  good 
quality  semiconductor  devices,  however.  In  addition,  the  effect  on  the 
MTBF  is  small  even  for  equipment  exposed  to  the  maximum  expected  nuclear 
environment.  The  effects  on  the  MTBF  over  the  inventory  of  equipments 
is  even  smaller  because  of  the  small  probability  of  exposure. 


3 . SUMMARY 

There  is  an  orderly  process  for  developing  reliable  and  nuclear  sur- 
vivable  equipment.  The  reliability  community  has  documented  the 
procedures,  controls,  and  management  insight  into  military  regulations, 
standards,  and  specifications.  The  nuclear  community,  however,  does  not 
have  this  type  of  supporting  documentation  that  the  users  and  developers 
find  most  useful.  However,  the  methodology  has  been  developed  and  used 
for  more  than  10  yr,  and  during  this  time,  systems  have  been  hardened  to 
much  higher  levels  than  Army  field  equipments  require.  Now,  HDL  is 
supplementing  the  nuclear  effects  documentation.  In  spite  of  the 
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existing  documentation,  the  logic  and  orderliness  are  often  perturbed  by 
pressures  and  priorities  that  subjugate  reliability  and  nuclear 
survivability  to  cost  and  schedule. 

For  any  important  performance  characteristic,  it  is  necessary  to 
have  expert  advice  from  the  conceptual  phase  to  assist  in  supplying 
informed  inputs,  making  the  tradeoffs,  and  assuring  that  adequate  time, 
money,  and  equipment  are  available  for  verification  of  the  system 
performance.  The  plan  should  include  the  concept  of  performance  growth 
because  new,  unproven  devices  and  materials  are  often  being  applied,  and 
their  capabilities,  response,  and  lifetime  have  to  be  validated.  But  it 
is  important  that  the  entire  emphasis  not  be  placed  on  favorable 
piece-part  characteristics  and  response,  since  circuit  design  and 
component  derating  are  also  critical  factors  in  both  reliability  and 
nuclear  survivability. 

The  comparison  of  reliability  and  nuclear  survivability  is  valid  in 
that  similarities  of  planning,  expert  assistance,  and  control  procedures 
are  indicated.  However,  the  controlled  parameters  and  the  circuit 
design  philosophies  are  somewhat  different.  A system  may  be  very 
reliable  and  yet  quite  vulnerable  to  nuclear  radiation,  and  vice  versa. 

The  constraints  on  a design  engineer  are  performance,  cost, 
schedule,  size,  and  weight.  These  are  the  immediate,  measurable  system 
features.  Reliability  and  nuclear  survivability  are  more  distant, 
abstract,  and  often  less  important. 

Reliability  engineering  and  nuclear  survivability  design  are 
specialties  of  design  engineering.  To  assume  that  a competent  design 
engineer  has  a working  knowledge  of  the  nuances  of  reliability  and 
nuclear  survivability  is  fallacious. 

When  one  addresses  the  reliability  and  nuclear  survivability  of 
equipments  from  the  concept  phase  following  a logical  and  firm  path,  the 
reliability  and  survivability  goals  can  be  met  cost  effectively  and 
timely.  But  all  too  often  the  near-term  influences  dominate  the 
long-term  payoffs. 
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hPPENDIX  a. “THE  LIFE  CYCLE  SYSTEM  MANAGEMENT  MODEL  FOR  ARMY  SYSTEMS 


This  material  is  extracted  from  DA  Pamphlet  11-25,  Life  Cycle  System 
Management  Model  for  Army  Systems  (23  January  1975) . The  model  is  a 
simplified  flow  chart  representing  the  life  cycle  of  an  Army  system  from 
conception  to  fielding  of  finished  equipment,  personnel  training, 
product  improvement,  maintenance,  and  phase  out  or  disposal  of  unneeded 
equipment.  In  this  brief  description,  only  the  major  events  are 
related.  In  a given  system  development  program,  certain  events  (or 
possibly  entire  phases)  may  be  bypassed  if  the  information  already 
exists  or  if  the  required  developmental  work  has  already  been  performed 
or  is  otherwise  unnecessary.  However,  if  there  is  any  controversy 
regarding  cost,  complexity,  or  high  visibility,  the  event  or  phase  may 
then  become  mandatory.  There  are  four  phases  in  the  life  cycle  of  any 
Army  system:  conceptual,  validation,  full-scale  development,  and 
production  and  deployment. 

In  the  conceptual  phase , the  combat  development  agencies , usually 
the  Army's  Training  and  Doctrine  Command  (TRADOC) , examine  threat 
projections,  technology  available  and  forecasted,  and  Joint  Services  and 
Army  plans  to  determine  the  operational  capabilities  and  potential 
materiel  systems  that  could  improve  the  Army's  effectiveness.  A Letter 
of  Agreement  (LOA)  is  signed  by  the  combat  and  materiel  developers  in 
which  they  outline  basic  agreements  for  further  investigation  of  a 
potential  materiel  system.  During  this  phase,  the  basic  research  and 
the  applied  research  are  performed  that  lead  up  to  the  breadboards  or 
experimental  prototype.  They  also  agree  in  the  LOA  upon  the  nature  and 
characteristics  of  the  proposed  system  and  the  tests  required  to 
validate  the  system  concept. 

A Special  Task  Force  (or  Special  Study  Group)  is  then  assembled  by 
the  Army  Chief  of  Staff  and  is  normally  composed  of  the  Charter  Task 
Force  Director,  representatives  of  the  materiel  and  combat  developers, 
the  trainer,  the  operational  tester,  and  perhaps  a Project  Manager 
designee.  This  group  prepares  a Decision  Coordinating  Paper  (DCP, 
previously  called  Development  Concept  Paper)  or  an  Army  or  Defense 
Program  Memorandum,  which  presents  the  rationale  for  starting, 
continuing,  reorienting,  or  stopping  a development  program.  It 
identifies  the  issues  in  a decision  and  assesses  the  important  factors 
such  as  threat,  risks,  military  and  economic  consequences,  and  critical 
problems  to  be  resolved  by  test  and  evaluation.  They  also  prepare  a 
Concept  Formulation  Package,  which  includes  tradeoff  determination  and 
analysis,  best  technical  approach,  and  cost  and  operational 
effectiveness  analysis.  The  tradeoff  determination  studies  the 
technical  and  economic  feasibility  of  each  approach  to  a realization  of 
a potential  system  including  the  risks  involved  with  each.  In  the 
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tradeoff  determination/  the  Special  Task  Force  decides  which  technical 
approaches  are  best.  From  these  documents  (including  a final  report) / 
an  Outline  Development  Plan  (ODP)  is  prepared  that  records  program 
decisions  and  analyzes  technical  options  and  plans  for  development  of 
the  system  in  the  validation  phase. 

These  documents / plus  an  Independent  Parametric  Cost  Estimate  (per- 
formed by  the  Comptroller  of  the  Army  before  entry  into  each  succeeding 
phase) / are  submitted  for  review  and  acceptance  at  the  first  meeting  of 
the  Army  Systems  Acquisition  Review  Council  (ASARC-I) . After  favorable 
review/  the  Army  accepts  the  DCP.  Then  it  is  submitted  at  the  first 
meeting  of  the  Defense  Systems  Acquisition  Review  Council  (DSARC-I)  and 
then  to  the  Secretary  of  Defense  for  final  acceptance.  These  ASARC  and 
DSARC  reviews  are  performed  for  major  systems  to  determine  whether  a 
phase  is  complete  and  if  the  program  is  ready  for  the  succeeding  phase. 
The  level  of  review  (i.e./  ASARC  or  DSARC)  is  determined  by  the 
importance  of  the  dollar  value  of  the  system.  For  nonmajor  systems/  the 
final  review  could  be  at  the  Army  Materiel  Development  and  Readiness 
Command  level  and  is  called  the  In  Process  Review. 

In  the  validation  phase/  preliminary  design  and  engineering  are 
verified  experimentally  and  analytically.  Tradeoff  proposals  are 
analyzed/  and  logistics  problems  are  identified.  A contract  is  awarded 
to  develop  prototypes  representing  complete  systems  (advanced 
development  prototype) . The  prototypes  are  then  submitted  for  the  first 
set  of  Development  and  Operational  Tests  (DT/OT-I) . Development  testing 
is  performed  to  determine  that  the  design  risks  are  minimized,  the 
engineering  is  complete/  solutions  to  problems  are  at  hand/  and  the 
system  meets  or  will  meet  its  specifications  (including  nuclear/  if 
applicable).  Operational  testing  is  conducted  to  determine  a system's 
military  utility  with  representative  users  in  an  environment  as 
realistic  as  possible/  its  operational  effectiveness/  and  its 
operational  suitability/  including  compatibility/  reliability/ 
availability,  maintainability,  logistic  support,  tactics,  and  training 
requirements.  If  possible,  the  new  equipment  should  be  compared  with 
existing  equipment. 

These  test  results  are  used  in  preparing  the  Required  Operational 
Capability  (ROC) , the  Development  Plan,  and  the  Provisional  Qualitative 
and  Quantitative  Personnel  Requirements  Information.  The  ROC  is  a short 
document  stating  the  essential  operational,  technical,  logistic,  and 
cost  information  required  to  initiate  development  or  procurement  of  a 
system.  The  Development  Plan  contains  the  ROC  and  expands  upon  the  ODP. 
The  Development  Plan  is  s\±)mitted  for  review  and  approval  by  ASARC-II 
or  DSARC-II  or  both,  as  appropriate,  to  determine  whether  the  program  is 
ready  for  full-scale  development. 
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During  the  full-scale  development  phase,  the  system,  including  all 
items  necessary  for  its  support,  is  fully  developed  and  engineered, 
built,  and  tested.  The  resulting  engineering  development  prototype 
should  be  a preproduction  system  closely  approximating  the  final 
product.  Also  included  in  the  output  for  this  phase  is  the 
documentation  to  enter  the  production  phase , including  draft  field 
manuals,  and  test  results  of  DT/OT-II  supporting  entry  to  the  production 
phase.  Producibility  Engineering  and  Planning  (PEP)  is  conducted  during 
the  full-scale  development  phase  to  assure  facility  of  volume 
production.  These  PEP  activities  include  developing  data  packages, 
designing  special  production  equipment  or  tooling,  and  possibly 
designing  computer  models  of  the  production  process  to  identify 
production  problems.  Long-lead-time  requirements  also  must  be 
identified.  Again,  the  DT/OT-II  results  and  the  updated  Development 
Plan  are  presented  for  review  and  approval  by  the  appropriate-level 
committee  to  determine  the  system's  readiness  for  transition  to  Low-Rate 
Initial  Production  (LRIP)  in  the  production  and  deployment  phase. 

Finally,  the  production  and  deployment  phase  begins  with  a contract 
for  LRIP.  This  is  intended  to  provide  an  adequate  number  of 
production-line  items  for  final  DT/OT-III.  The  purpose  is  to  minimize 
the  government's  exposure  to  large  retrofitting  problems  and  expenses  if 
production  deficiencies  are  discovered  or  modifications  are  proposed  for 
product  improvements.  A production  validation  In-Process  Review  may  be 
conducted  if  initial  production  items  do  not  meet  their  required 
specifications.  This  is  conducted  by  the  materiel  and  combat  developers 
and  the  Deputy  Chief  of  Staff  for  Research,  Development,  and 
Acquisition.  First  editions  of  technical  and  field  manuals  are 
submitted  for  publication-  The  test  results  from  DT/OT-III  and  the 
newly  updated  Development  Plan  are  submitted  for  review  and  approval  to 
enter  full  production  and  deployment. 

Full-scale  production  is  then  authorized,  including  any  necessary 
retrofitting.  Final  Qualitative  and  Quantitative  Personnel  Requirements 
Information  is  determined  and  is  used  to  determine  whether  new  Military 
Occupational  Specialties  should  be  created.  A new  Table  of  Organization 
and  Equipment  is  drafted,  reviewed,  approved,  and  published.  Personnel 
are  trained,  and  an  Initial  Operational  Capability  is  achieved  by  a 
troop  unit  using  production  items.  After  a period  of  time,  the  materiel 
developer  accumulates  maintenance  data  from  field  units  for  developing 
an  Annual  Maintenance  Man-Hours  data  package.  This  package  is  provided 
to  TRADOC  for  preparation  of  the  Manpower  Authorization  Criteria,  which 
is  used  to  revise  the  Table  of  Organization  and  Equipment.  Unneeded  or 
obsolete  equipment  is  scheduled  for  phase  out  or  disposal.  When 
adequate  numbers  of  new  equipment  and  spare  parts  are  available, 
production  may  cease  until  further  units  are  required. 
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Recently,  according  to  the  magazine  AMC  News,  the  Army  changed  its 
development  test  procedure  to  reduce  duplicate  testing.  More  reliance 
will  be  placed  on  contractor  testing,  and  the  Army's  role  will  shift 
from  that  of  independent  tester  to  independent  evaluator.  The  Army 
Materiel  Systems  Analysis  Agency  will  perform  the  independent  evaluation 
for  the  Army.  The  Test  and  Evaluation  Command  will  become  more  of  a 
service  organization,  providing  facilities  and  expertise  and  performing 
test  services  for  the  government  and  its  contractors.  Contractor  data 
from  the  Research  and  Development  Acceptance  Test  will  be  validated  to 
determine  whether  additional  testing  is  necessary. 
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